b'Audit of NARA\'s Transition to Internet Protocol Version 6 \n\n                OIG Report No. 09-05 \n\n                   March 11,2009 \n\n\x0c                                                                      OIG Audit Report No. 09-05\n\n\n\nEXECUTIVE SUMMARY\nThe Internet protocol (lP) provides the addressing mechanism that defines how and\nwhere information such as text, voice, and video move across interconnected networks.\nInternet protocol version 4 (lPv4), which is widely used today, may not be able to\naccommodate the increasing number of global users and devices that are connecting to\nthe Internet. As a result, IP version 6 (lPv6) was developed to increase the amount of\navailable IP address space. Use of both IPv4 and IPv6 is expected to overlap for some\ntime and the hardware and software infrastructure needed to support both IPv4 and IPv6\npresents a challenge to the Federal Government.\n\nTo guide Federal Government agencies in their transition to IPv6, in August 2005, the\nOffice of Management and Budget (OMB) issued Memorandum M-05-22, "Transition\nPlanning for Internet Protocol Version 6", which outlined a transition strategy for\nagencies to follow and established the goal for all Federal agency network backbones to\nsupport IPv6 by June 30, 2008.\n\nFor this audit, we assessed NARA\'s efforts to transition to IPv6. Specifically, our\nobjective was to determine whether NARA was in compliance with the OMB mandate,\nand ifnot, to identify what major obstacles or challenges exist and whether a plan for\ncompliance has been developed.\n\nNARA did not comply with the OMB mandate because NARA has not verified whether\nthe network backbone is capable of supporting IPv6. Specifically, IPv6 testing on the\nproduction environment did not test NARA\'s ability to transport IPv6 traffic through all\ndevices in the core network and did not test whether NARA could successfully receive\nand transmit IPv6 traffic outside NARA\'s network. As a result, NARA does not have\nassurance that the planned implementation strategy will work.\n\nWe also found that additional work is needed in order for NARA to address future\nobstacles and challenges. For example, NH officials involved in planning for the\ntransition to IPv6 did not identify or address risks and challenges associated with the\ntransition. If not addressed, these risks and challenges may result in increased costs and\nsecurity risks associated with the transition to IPv6. In addition, new IT equipment\norders did not contain a requirement for products to be IPv6 compliant or interoperate\nwith both IPv4 and IPv6 systems. As a result, NARA may have to spend additional funds\nto acquire IPv6 compliant equipment.\n\nThis report contains five audit recommendations which upon implementation would both\nbring NARA into compliance with OMB requirements and provide the foundational\nstructure for transition to IPv6. However, full concurrence was not forthcoming from the\nCIO specific to four of the recommendations.\n\nThe first two recommendations put forth were grounded in OMB criteria which NARA\nfailed to address. We revised the recommendations to afford the CIO opportunity to seek\na waiver from defined OMB criteria. The CIO had no additional comments on the\nrevised recommendations and it is unclear whether the CIO will seek a waiver from\n\n\n                                          Page 1\n                       National Archives and Records Administration\n\x0c                                                                      OIG Audit Report No. 09-05\n\n\nOMB. As of the date of issuance of this report, NARA remains in non-compliance with\nOMB M-05-22.\n\nSpecific to the third recommendation, while the CIO indicates concurrence, she in fact\ndoes not concur with the breadth of the recommendation. She does not agree with the\nlanguage in our recommendation defining participants and scope of IPv6 training to be\nextended to those involved in IPv6 planning and execution.\n\nFinally, the CIO disagreed with the fifth recommendation that NARA Interim Guidance\n801-2 and Directive 805 identify IPv6 management controls to ensure IPv6 compliance.\nShe provides as her rational that this is unnecessary and unwarranted. We disagree with\nthis position as planning for new projeCts, systems, and associated procurements involve\nboth the capital planning and system development life cycle processes.\n\n\n\n\n                                          Page 2\n                       National Archives and Records Administration\n\x0c                                                                       OIG Audit Report No. 09-05\n\n\nBACKGROUND\nInternet Protocol (lP) is the "language" and set of rules computers use to talk to each\nother over the Internet. The existing protocol supporting the Internet today - Internet\nProtocol Version 4 (lPv4) - provides the world with only 4 billion IP addresses,\ninherently limiting the number of devices that can be given a unique, globally routable\naddress on the Internet. The emergence ofIPv6, providing the world with an\nexponentially larger number of available IP addresses, is essential to the continued\ngrowth of the Internet and development of new applications leveraging mobile Internet\nconnectivity. Although the information technology (IT) community has come up with\nworkarounds for this shortage in the IPv4 environment, IPv6 is the true long-term\nsolution to this problem. Use of both IPv4 and IPv6 is expected to overlap for some time.\nThe hardware and software infrastructure needed to support both IPv4 and IPv6 presents\na challenge to the Federal Government.\n\nIn August of2005, the Office of Management and Budget issued Memorandum M-05-22,\n"Transition Planning for Internet Protocol Version 6," establishing the goal of enabling\nall Federal government agency network backbones to support the IPv6 by June 30, 2008.\n\nThe memorandum required that the agency\'s network backbone be ready to transmit both\nIPv4 and IPv6 traffic, and support IPv4 and IPv6 addresses, by June 30,2008. Agencies\nwere to demonstrate they could perform at least the following functions, without\ncompromising IPv4 capability or network security:\n\n   \xe2\x80\xa2 \t Transmit IPv6 traffic from the Internet and external peers, through the network\n       backbone (core), to the LAN.\n\n   \xe2\x80\xa2 \t Transmit IPv6 traffic from the LAN, through the network backbone (core), out to\n       the Internet and external peers.\n\n   \xe2\x80\xa2 \t Transmit IPv6 traffic from the LAN, through the network backbone (core), to\n       another LAN (or another node on the same LAN).\n\nNARA\'s ChiefInformation Officer assigned the Chief Technology Officer to lead and\ncoordinate planning for IPv6. NARA\'s overriding strategy for the transition was to align\nall IPv6 implementation activities with other network engineering projects and business\napplication release schedules to eliminate the need for multiple and costly system testing\nand infrastructure recertification efforts. NARA planned to upgrade its IP-dependent\ndevices to IPv6 compliant levels and install, configure, and operate both IPv6 and IPv4\ninfrastructure on the network to provide IPv6 interoperability with external clients that\nmay require IPv6 addressing. This would address the OMB requirement of ensuring IPv6\ncompatibility and compliance. However, NARA would not operationally enable IPv6\nuntil: (a) the overall network architecture upgrade specified in the Enterprise Architecture\nwas complete, (b) the business applications move to IPv6 compliant environments as part\nof their product update and release strategies, and (c) IPv6 is mature, widely deployed\nacross the Internet, and fully supported by the IT industry.\n\n\n\n                                           Page 3\n                        National Archives and Records Administration\n\x0c                                                                       OIG Audit Report No. 09-05\n\n\n\nOJECTIVE, SCOPE, METHODOLOGY\n\nThe objective ofthis audit was to assess NARA\'s efforts to transition to IPv6.\nSpecifically, we determined whether NARA was in compliance with the OMB mandate,\nand if not, to identify what major obstacles or challenges exist and whether a plan for\ncompliance has been developed.\n\nThe audit was conducted at Archives II in College Park, MD, primarily with the Office of\nInformation Services (NH). We also contacted the Acquisition Services Division (NAA).\n\nIn support of the audit objective, we evaluated NARA\'s actions and responses to OMB\nMemorandum 05-22 milestones for transitioning to IPv6. We reviewed additional\nguidelines and procedures issued by the Federal Chief Information Officers Council\n(CIOC) Architecture and Infrastructure\'s Committee and the National Institute of\nStandards and Technology\'s Special Publication 500-267 "A Profile for IPv6 in the U.S.\nGovernment - Version 1.0," July 2008 in support of OMB M-05-22.\n\nTo determine whether NARA was in compliance with the OMB mandate, we analyzed\nthe planning activities completed, identified devices within the NARA infrastructure,\nobtained and reviewed test results, reviewed the controls in place over the acquisition and\nprocurement process and reviewed the actions taken to address security risks associated\nwith the transition to IPv6. We reviewed progress reports submitted to OMB to\ndetermine whether any challenges, risks, or other issues were identified by NARA.\n\nTo determine whether NARA adequately planned for the transition we reviewed the IPv6\nTransition Strategy, Implementation Plan, and meeting notes from various planning\nmeetings held between January 2006 and December 2007. We also interviewed the IPv6\nProject Lead along with support contractors who wrote the planning documentation.\n\nTo determine whether NARA\'s infrastructure contained IPv6 compliant devices we\nobtained copies of equipment inventories submitted to OMB along with reports generated\nfrom an automated monitoring tool to detect devices currently attached to the network\nand the operating software loaded on the devices. We also reviewed NARANET\ninfrastructure drawings current as of May 2008. We compared the devices in the network\nand the operating software to those devices used during IPv6 testing in the production\nenvironment. We reviewed the test plan and test results documented to determine\nwhether NARA tested the scenarios required by OMB and the CIO Council in their\nDemonstration Plan.\n\nTo determine whether controls were in place to ensure new IT procurements were IPv6\ncompliant, we interviewed NH officials to determine the procurement process for new IT\norders and reviewed existing Information Management Directives and NARA acquisition\npolicy. We selected nine IT procurements occurring between September 2005 and\nSeptember 2008 and reviewed the product plan (if available), solicitation documentation,\nand the resulting contract to determine whether the requirement for IPv6 compliant\nequipment was included.\n\n\n\n                                           Page 4\n                        National Archives and Records Administration\n\x0c                                                                      OIG Audit Report No. 09-05\n\n\nTo determine whether NARA has taken action to address security risks we evaluated the\nrisks identified in the IPv6 Impact Analysis and reviewed whether NH officials and IT\nstaff (including contractors) responsible for implementing IPv6 received training.\n\nOur audit work was performed at Archives II in College Park, MD between March 2008\nand January 2009. We conducted this performance audit in accordance with generally\naccepted government aUditing standards. Those standards require that we plan and\nperform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis\nfor our findings and conclusions based on our audit objectives. We believe that the\nevidence obtained provides a reasonable basis for our findings and conclusions based on\nour audit objectives.\n\n\n\n\n                                          Page 5\n                       National Archives and Records Administration\n\x0c                                                                               OIG Audit Report No. 09-05\n\n\nFINDINGS AND RECOMMENDATIONS\nTesting Was Not Adequate to Demonstrate IPv6 Compliance\n\nIPv6 testing on the production environment did not demonstrate NARA\'s ability to\nsuccessfully transport IPv6 traffic on the network backbone. This occurred because NH\nofficials did not use the ChiefInformation Officer (CIO) Council\'s Demonstration plan in\ndeveloping their test plan and NARA did not contact any external agencies to partner\nwith to complete the testing. By June 30, 2008, agencies were to confirm to OMB that\nthey could: transmit IPv6 traffic to and from the Internet and external peers and transmit\nIPv6 traffic from the Local Area Networkl (LAN) to another LAN. As a result of\nperforming only limited testing, NARA does not have assurance that the planned\nimplementation of a dual-stack IPv6 and IPv4 architecture on NARANET will work.\n\nBy June 30, 2008, agencies were to confirm to OMB that they could:\n\n    \xe2\x80\xa2 \t Transmit IPv6 traffic from the Internet and external peers, through the network\n        backbone (core) to the LAN;\n\n    \xe2\x80\xa2 \t Transmit IPv6 traffic from the LAN, through the network backbone (core), out to\n        the Internet and external peers;\n\n    \xe2\x80\xa2 \t Transmit IPv6 traffic from the LAN, through the network backbone (core), to\n        another LAN (or another node on the same LAN).\n\nThe CIO Council issued additional guidance and procedures to be used by agencies in\ndemonstrating IPv6 compliance. This demonstration plan provided detailed procedures\non how to conduct the testing, success criterion, and the documentation of the test results.\n\nThe OMB deadline of June 30, 2008 has passed however, NARA has not verified\nwhether the network backbone is capable of supporting IPv6. Specifically, IPv6 testing\non the production environment did not test NARA\'s ability to successfully transport IPv6\ntraffic through all devices in the core network and did not test whether NARA could\nsuccessfully receive and transmit IPv6 traffic outside NARA\'s network.\n\nInstead of using the test scripts identified in the CIO Council\'s Demonstration Plan, the\nChief Technology Officer (CTO) along with support contractors developed seven\nscenarios to test for the June 2008 deadline. Test scenarios involved running a ping2\ncommand between six routers at the selected NARA sites. As shown in Figure 1 below,\nthe scenarios included six different NARA sites using two types of Cisco routers.\n\n\n\n\n1 For the demonstrations, the term "LAN" represents IPv6-configured pes or Laptops directly connected to \n\nIPv6 devices (routers, switches) in an Agency\'s operational core backbone network. \n\n2 Ping is a computer network tool used to test whether a particular host is reachable across an IP network. \n\n\n\n                                               Page 6\n                            National Archives and Records Administration\n\x0c                                                                                                       OIG Audit Report No. 09-05\n\n\n\n          Figure 1. IPv6 Production Verification Testing Overview\n\n                                                                     Tcst# 1\n\n\n\n\n                        \'I\n                         \\\n\n                                                                                               Tut#2\n                               \\\n                                   \\\n                                           \\\n                                                \\\n                                                        \\\n          East                                              \\                                East\n                                                                 \\   /\n\n\n                                                                 /   \\\n          West                                               /           \\                   West\n                                                        l\'\n                                                        (\n\n\n                                                    i\n                                                I\n                                           ,/\n                                   i\n                                       /\n                     Test#3 /\n\n\n\n\n                                                                     Source: NARA IPv6 Production Verification Results\n\nNARA used two Cisco 7206 VXR routers, four Cisco 3845 routers and six Dell laptops\nusing Windows XP to perfonn the testing. The tests did not include additional routers\nand switches identified in NARANET infrastructure drawings as part ofNARA\'s core\nbackbone network.\n\nAccording to the CTO, NARA\'s core backbone network consists of ------------------------\xc2\xad\n------------------------------redacted pursuant to FOIA exemption "high" b(2)-----------------\xc2\xad\n\n\n\n------. These devices should have been included in the IPv6 production verification\ntesting.\n\nAfter NARA conducted its test ofthe production network an NH official reported to\nOMB that testing addressed the scenarios identified by OMB and the tests were\nsuccessful. However, the production testing did not include tests to verify NARA\'s\n\n                                                Page 7\n                             National Archives and Records Administration\n\x0c                                                                              OIG Audit Report No. 09-05\n\n\nability to transmit and receive IPv6 traffic from an external network3 . According to a\nsummary of the test scenarios included in the verification results, NARA\'s Internet\nService Provider could not provide a native IPv6 Internet environment to interface with\nthe NARANET production infrastructure at the time of the test, therefore NARA\nemulated in previous tests4 an external IPv6 network to pass native IPv6 traffic to and\nfrom NARANET. Guidance from the CIO Council addressed this limitation stating if an\nagency\'s ISP is not IPv6 enabled or does not offer IPv6 internet services, a static IPv6\nover IPv4 tunnel can be used between the agency gateway and the corresponding internet\nborder gateway.\n\nAccording to OMB, agencies were required to ensure their network backbones were IPv6\ncapable. Agencies were to demonstrate this capability by completing the tests identified\nin the CIO Council test guidance. However, NH officials did not use the CIO Council\'s\nDemonstration Plan and instead, wrote their own test scenarios. In December 2007, the\nCTO made the decision that the production testing would be internal only because testing\nwith an external partner would have to be done using a tunnel5 which the CTO believed\nwould not have any significance. No attempt was made to contact external agencies to\ndiscuss partnering for the tests.\n\nThe purpose of the testing was to demonstrate IPv6 compliance by showing that IPv6\ntraffic could be successfully transported (i.e., received, processed, forwarded) through all\nIPv6 devices in NARA\'s operational core network. In addition, the tests were to confirm\nthat NARA could transmit IPv6 traffic to and from the Internet and external peers as well\nas transmit traffic from the LAN to another LAN. However, based on the limitations of\nthe testing, NARA does not have assurance that the core network is capable of supporting\nIPv6 traffic. NARA should conduct IPv6 testing using the procedures outlined in the\nCIO Council\'s demonstration plan.\n\nManagement Comments on the Finding.\n\nThe Assistant Archivist for Information Services/CIO (hereafter referred to as the CIO)\nbelieved that NARA\'s actions substantively addressed the requirements to develop an\nIPv6 test plan as set forth by the OMB mandate and supplemental OMB guidance. She\nalso believed that the tests conducted in the laboratory and on the production network\nconformed to OMB guidance and in her opinion; the testing unequivocally established\nthat NARA\'s core backbone is capable of carrying IPv6 and IPv4 traffic simultaneously.\nAccording to the CIO, NARA\'s network core consists of ----redacted pursuant to FOIA\nexemption "high" b(2)-----, therefore, the testing actually went beyond the requirement\nbecause the 3845 routers installed at the field sites are not part of the core network but\nwere tested.\n\n\n3 According to the CIO Council procedures, the tenn "Internet and external peers" refers to an external \n\nnetwork (i.e. a network owned and operated by an organization different from that Agency) chosen for the \n\ndemonstrations, and which may be from a partner Agency, an ISP, or other IPv6 organization. \n\n4 This previous testing was conducted in the system engineering lab environment in which a server was set \n\nup to simulate the Internet. \n\n5 Tunneling allows IPv6 packets to be sent between computers via IPv4 traffic. \n\n\n\n                                              Page 8\n                           National Archives and Records Administration\n\x0c                                                                       OIG Audit Report No. 09-05\n\n\nThe CIO clarified that their IPv6 tests were not "conformance" tests in the formal,\nengineering sense of that term and that any inference that OMB guidance provides true\nIPv6 conformance testing scenarios and procedures is mistaken. The CIO believes it is\nnot valid to imply that their engineering methods are non-conforming or invalid based\nupon general statements of intent in a policy mandate or because they did not exactly\nmirror a set of ad-hoc, test scenarios. In addition, the CIO did not believe that a test\npartner was needed to verify that the network backbone could transport IPv6 traffic.\n\nAudit Response\n\nThe test guidance issued by the CIO Council clearly established the scenarios agencies\nwere to perform and the success criterion agencies should use to demonstrate that their\ncore backbones were IPv6 capable. Testing was to be performed on all devices in\nNARA\'s operational core backbone network and was to include connectivity with an\nexternal network. NARA\'s testing did not meet either of these requirements therefore,\nwe do not agree that the testing unequivocally established that NARA\'s core backbone is\ncapable of carrying IPv6 traffic.\n\nWe revised this finding to clarify our position on the devices that should have been tested\nas part of the core network. We agree with NH officials that based on the definition of\ncore network provided in the CIO Council\'s Demonstration Plan, the 3845 routers would\nnot be considered part of the backbone network and removed that section from the report.\nHowever, we disagree that the core backbone consists of --redacted, "high" b(2)-\xc2\xad\nbecause those routers only aggregate traffic from NARA\'s field sites which does not\ninclude the majority of users at Archives I and Archives II.\n\nRecommendation 1\n\nThe Assistant Archivist for Information Services/CIO should ensure testing required by\nOMB and outlined in the Federal CIO Council Architecture and Infrastructure Committee\n"Demonstration Plan to Support Agency IPv6 Compliance," version 1.0 on NARA\'s\noperational core network is performed and the test results as required by the CIO Council\nto demonstrate compliance are documented or obtain a written waiver from OMB.\n\nManagement Comments\n\nThe CIO disagreed with this recommendation stating that she believes additional testing\nas per the OMB Demonstration Plan is unnecessary and that resources would be better\nspent on the overall NARANET reengineering project.\n\nAudit Response\n\nWe revised this recommendation to include the option for the CIO to either conduct the\nrequired testing or contact OMB to request a written waiver. The CIO had no additional\ncomments on the revised recommendation and it is unclear whether the CIO will seek a\nwaiver from OMB. NARA did not test all devices in its core network and did not test\nwhether NARA could transmit IPv6 traffic to and from the Internet and external peers as\nrequired by OMB. Instead of contacting OMB regarding their concerns with the test\n\n                                           Page 9\n                        National Archives and Records Administration\n\x0c                                                                      DIG Audit Report No. 09-05\n\n\nscenarios or their intent to deviate from the scenarios in the CIO Council\'s\nDemonstration Plan, NARA reported to OMB that IPv6 verification testing was\nperformed on the production network and testing "addressed the scenarios identified by\nOMB."\n\nThe requirement set by OMB was for Federal agencies to ensure their network backbones\nwere IPv6 capable and there were tests agencies were required to complete in accordance\nwith the CIO Council test guidance. If the CIO continues to believe that the required\ntesting is unnecessary, she should contact OMB to request a written waiver.\n\n\n\n\n                                         Page 10\n                       National Archives and Records Administration\n\x0cTransition Risks Not Identified or Addressed\n\nNH officials involved in planning for the transition to IPv6 did not identify or address\nrisks and challenges associated with the transition. This occurred because NH officials\nhave not updated the IPv6 Impact Analysis since June 2006 and based their planning\nactivities on the beliefthat NARA will not operationally enable IPv6 in the near term. If\nnot addressed, these risks and challenges may result in increased costs and security risks\nassociated with the transition.\n\nOMB Memorandum 05-22 required agencies to begin an impact analysis that included\nboth cost and risk elements. According to the memorandum, the risk analysis should\ninclude areas such as dependencies and interoperability issues, business risks, and\nsecurity risks. NARA\'s IPv6 Impact Analysis included a paragraph on each area\nassociated with IPv6 implementation required by OMB M-05-22 but did not fully address\nthe associated risks. For example, the Impact Analysis does not identify any\ndependencies or interoperability issues involved with IPv6 even though several NARA\nsystems were identified as dependent on the version ofIP that is used and did not support\nIPv6. According to the Impact Analysis, "this project is only dependent upon approval of\nthe funding and staffing that is required to implement it. It is completely self-contained\nand will not interoperate with any other system or project."\n\nThe Impact Analysis did not identify any business impact or risk associated with the\ntransition to IPv6. However, several critical NARA business applications, including the\nCase Management and Reporting System (CMRS) and the Archival Research Catalog\n(ARC), were found to be dependent upon the version ofIP that is used. According to the\nCTO, NARA has lots of homegrown applications that run on IPv4 and it has yet to be\ndetermined what percentage of those applications can easily use IPv6. The CTO also\nstated ARC and CMRS would require substantial work to be able to support IPv6.\n\nIn another example, the Impact Analysis considered IPv6 to be no more or less secure\nthan IPv4 and therefore, would not pose any new security risks to IT operations. Reports\nissued by the Government Accountability Office along with a Department of Homeland\nSecurity US-CERT advisory discuss multiple security issues concerning IPv6.\nAccording to GAO, IPv6 creates new opportunities for network abuse ifIPv6 capable\ndevices are not properly managed. Two IPv6 features-automatic configuration and\ntunneling-could present serious risks to federal agencies. Automatic configuration can\nfacilitate network attacks because a rogue or unauthorized router may reconfigure\nneighboring devices by assigning them new addresses and routes. Tunneling can permit\nunauthorized traffic into the network undetected. The US-CERT alert warned federal\nagencies that unmanaged, or rogue, implementations ofIPv6 present network\nmanagement security risks. NARA\'s Impact Analysis did not address these security\nrisks.\n\nThe IPv6 Impact Analysis identified training costs for 15 NH employees involved in the\nIPv6 transition however, training has not been provided. According to GAO, a challenge\nto the transition will be maintaining dual IPv4 and IPv6 environments for extended\nperiods of time. Maintaining two network protocols is challenging in that it adds\n\n                                          Page 11\n                        National Archives and Records Administration\n\x0c                                                                           DIG Audit Report No. 09-05\n\n\ncomplexity to network maintenance and associated costs are higher. It also requires\nskilled personnel and may be difficult to maintain hardware and software interoperability\nacross dual environments. NARA IPv6 planning documents did not address this\nchallenge.\n\nNH officials have not updated the IPv6 Impact Analysis since June 2006. At that time,\nNH officials based their planning activities on the belief that NARA will not\noperationally enable IPv6 in the near term. The impact analysis alludes to future risks\nonce IPv6 is enabled however, the plan states that implementation was not being\nconsidered since it was not required to meet the OMB mandate.\n\nIn December 2008, the CIO Council issued draft guidance6 for adopting IPv6 within the\nFederal government. According to the guidance, the next phase is the deployment of\nsecure, end-to-end, IPv6-enabled network services which support federal agency core\nmissions and applications. The guidance establishes a proposed timeline of January 2010\nfor Federal agencies to begin the transition phase. With the transition one year away,\nNARA should update the Impact Analysis to identify and address those risks and\nchallenges associated with the transition and maintaining a dual-stack network. Knowing\nwhat risks there are and how to mitigate them appropriately will lessen problems in the\nfuture. If challenges and risks are not addressed, NARA will face potentially increased\ncosts and security risks associated with the transition.\n\nManagement Comments on the Finding\n\nThe CIO stated that IPv6 has been identified as one of a number of interrelated network\ntechnologies in the Enterprise Architecture to be incorporated into the future design of\nNARANET. Specifically, NARA is migrating from a Frame Relay service to\nMultiprotocol Label Switching (MPLS) services under the Networx contract and OMB\'s\nTrusted Internet Connections requirement will force a complete reconfiguration of\nNARA\'s Internet Service Provider interface at the network edge. The CIO stated that the\nintegration risks and complexities oftransitioning to IPv6 require that it be pursued as\none element of a comprehensive NARANET reengineering strategy and that to do\notherwise would introduce unacceptable business risk, cost, and operational complexity\ntoNARA.\n\nThe CIO stated that several statements in the draft report prematurely highlight the need\nto address "future" obstacles, risks, and challenges associated with implementing IPv6 in\nNARA\'s production environment. The CIO agreed that additional work efforts will be\nrequired in the future when NARA transitions to IPv6 deployment and operation,\nhowever, she did not believe that these "future" work efforts are applicable to satisfying\nthe OMB mandate of verifying IPv6 capabilities in the network core.\n\n\n\n\n6Architecture and Infrastructure Committee, Federal Chief Information Officers Council, "The Business\nCase and Roadmap for Completing IPv6 Adoption in US Government," Draft, version 0.1, December 22,\n2008\n\n                                             Page 12\n                           National Archives and Records Administration\n\x0c                                                                       OIG Audit Report No. 09-05\n\n\nAudit Response\n\nWe agree that transitioning to IPv6 should be part of the comprehensive NARANET\nreengineering strategy however, we do not agree with the CIO\'s approach to delay\naddressing risks with IPv6 until IPv6 is deployed and in operation at NARA. The\npurpose of creating an impact analysis was to determine fiscal and operational impacts\nand risks of migrating to IPv6. NARA officials focused on satisfying the OMB mandate\nto verify IPv6 capabilities in the network core by June 30, 2008 instead of creating a\ncomprehensive plan to prepare for the eventual transition to IPv6. The risks and\nchallenges associated with IPv6 need to be addressed now in order to plan how those\nrisks will be mitigated when IPv6 is implemented.\n\nRecommendation 2\n\nThe Assistant Archivist for Information Services/CIO should update the IPv6 Impact\nAnalysis to address the security and business risks associated with implementing IPv6 or\nobtain a written waiver from OMB that waiting until IPv6 is implemented to address risks\nis an acceptable posture.\n\nManagement Comments\n\nThe CIO agreed with the recommendation but stated this should be handled as part of the\nNARANET redesign project. The CIO added that this should not be inferred as an issue\nof compliance with the past OMB M-05-22 mandate requiring a specific impact analysis\nat a past point in time. According to the CIO, risks associated with "implementing" IPv6\nwere not applicable to this project because there was no requirement or intent to\n"implement" IPv6 in production, just to verify certain IPv6 capabilities in the network\ncore.\n\nAudit Response\n\nWhile the CIO indicated she agreed with this recommendation, her comments show that\nshe does not agree with the intent of the recommendation. This recommendation\naddresses NARA\'s lack of planning for the transition to IPv6. The impact analysis was\nto aid agencies in planning for the transition by identifying fiscal and operational impacts\nand risks of migrating to IPv6. NARA has not identified those impacts and risks because\nNARA officials focused their planning efforts on meeting the OMB June 30, 2008\ndeadline to verify the capability of the network core, instead of planning for the eventual\ntransition to IPv6. It is imperative that NARA identify potential issues and risks with the\ntransition to IPv6 and ensure that risks are appropriately mitigated before IPv6 is\nimplemented. We revised the recommendation so that if the CIO continues to believe\nthat addressing IPv6 risks and challenges can be delayed until NARA implements IPv6\nthen she can request a written waiver from OMB that this is an acceptable posture.\n\n\n\n\n                                          Page 13\n                        National Archives and Records Administration\n\x0c                                                                       OIG Audit Report No. 09-05\n\n\nRecommendation 3\n\nThe Assistant Archivist for Information Services/CIO should ensure employees\nresponsible for planning, implementing, maintaining, and securing an IPv6 network for\nNARA receive appropriate IPv6 training.\n\nManagement Comments\n\nThe CIO agreed with this recommendation, but believed that this should be handled as\npart ofthe NARANET redesign project. The CIO also noted that this is not a matter of\ntraining but rather a skill required for network engineers going forward, similar to IPv4\ncurrently.\n\nAudit Response\n\nWhile the CIO indicated she agreed with this recommendation, her comments show that\nshe does not agree with the intent of the recommendation. We continue to disagree with\nthe CIO\'s position that IPv6 training would only be needed for network engineers.\nAccording to the CIO Council, most IT personnel will require formalized training. In\ntheir Transition Guidance, the CIO Council identifies four main categories of education:\nawareness, architectural, operational, and specialized. In order to help ensure a\nsuccessful transition to IPv6, the CIO should provide appropriate training to those\nemployees responsible for planning, implementing, maintaining, and securing an IPv6\nnetwork.\n\n\n\n\n                                          Page 14\n                        National Archives and Records Administration\n\x0cControls Not In Place to Ensure New IT Procurements were IPv6 Compliant\n\nOrders for IT networking equipment did not include a requirement for IPv6 compliant\nequipment. This occurred because management controls identified in the IPv6 Transition\nPlan were not implemented. OMB Memorandum 05-22 states that in order to avoid\nunnecessary costs in the future, agencies should, to the maximum extent practicable,\nensure that all new IT procurements are IPv6 compliant. As a result of not implementing\nnecessary management controls, NARA may have to spend additional funds to acquire\nIPv6 compliant equipment.\n\nAccording to OMB Memorandum 05-22, any new IP product or system developed,\nacquired, or produced must:\n\n   \xe2\x80\xa2 \t Interoperate with both IPv6 and IPv4 systems and products;\n\n   \xe2\x80\xa2 \t If not initially compliant, provide a migration path and commitment to upgrade to\n       IPv6 for all application and product features by June 2008; and\n\n   \xe2\x80\xa2 \t Have available contractor/vendor IPv6 technical support for development and\n       implementation and fielded product management.\n\nAccording to NARA\'s IPv6 Transition Plan, management controls were to be\nimplemented in the Enterprise Architecture, Capital Planning and Investment Control\n(CPIC), Systems Development Life Cycle (SDLC) and procurement processes in order to\nverify and assure IPv6 compliance. The transition schedule shows these controls should\nhave been implemented during the third quarter ofFY 2006. NARA Interim\nDirective 801-2 "Review ofIT Investments" was updated in July 2006 however, the\nrecommended controls identified in the transition plan were not included in the revision.\nNARA Directive 805 "Systems Development Life Cycle" was last updated in January\n2002 with two supplements to the directive issued in July 2005. Neither document\naddressed the controls identified in the transition plan.\n\nNH contractor support personnel provided the Enterprise Architecture Conformance\nReview checklist they use to review product plans. The checklist includes a box to verify\nwhether IPv6 compliance requirements were specified. While this checklist is useful, it\nhas some limitations and cannot be relied on as the only review for IPv6 requirements.\nFor example, this checklist is used only by the contractor support personnel and the\ncontractors do not review every product proposal. Also, the checklist is only used in the\nreview of full product plans therefore, projects requiring only a summary proposal or\npurchases of IT equipment outside the CPIC process would not be reviewed for IPv6\ncompliance.\n\nWe reviewed a sample of nine IT purchases occurring between September 2005 and\nSeptember 2008. As shown in Table 1 "Review ofIT Purchases," none ofthe orders\nreviewed contained a requirement that the equipment had to be IPv6 compatible. In\naddition, only three of the nine orders went through the CPIC process. Of the three that\n\n\n\n                                         Page 15\n                       National Archives and Records Administration\n\x0c                                                                                  OIG Audit Report No. 09-05\n\n\ndid go through the CPIC process, evidence was available to show that IPv6 compliance\nwas considered during the acquisition process for only one of the orders.\n\n                                      Table 1. Review of IT Purchases\n\n                    I                                            Il\xc2\xbb.v6 RequireIllents   IfV6Compliance\n                                                                 \xc2\xb7\xc2\xb7Reviewed ~spR:rt        . Included\n                                                                                             ,  ",",\'\n                                                                                                        in\n  Order No.     ,              ~~sc~iption     Order Amount        of ePIC Process?            lilrder?\n                          ..\n\n\n\n1. NAMA-07-F\xc2\xad                                                                                    No\n                                Switches          $2,003,376              No\n0136\n\n2. NAMA-08-F\xc2\xad                                                                                    No\n                          PBX Upgrade             $1,197,387             Yes\n0148\n\n3. NAMA-06-F\xc2\xad                                                                                    No\n                                Switches           $507,721              N/A\n0107\n\n4. NAMA-05-F\xc2\xad                  Cisco 3845                                                        No\n                                                   $340,028              N/A\n0108                             routers\n\n5. NAMA-07-F\xc2\xad           Citrix Server and                                                        No\n                                                   $268,231               No\n0146                    Access Gateway\n\n                           Cisco lOS,\n6. NAMA-08-M\xc2\xad               memory                                                               No\n                                                   $216,111              N/A\n0098                      upgrades, and\n                             switch\n\n7. NAMA-07-F\xc2\xad             Redundant                                                              No\n                                                   $73,698               N/A\n0116                    Switches for STL\n\n                            Essential\n8. NAMA-06-F\xc2\xad            Elements of the                                                         No\n                                                   $73,678               N/A\n0138                     COOP Network\n                          and Firewall\n\n9. NAMA-07-F\xc2\xad                Switches,                                                           No\n                                                   $69,597               N/A\n0120                    fIrewall, & routers\n\n\nIn one example, NARA planned an upgrade of obsolescent NARANET switches in\nFY 2007. The contract was awarded for $2 million and did not mention a requirement\nfor IPv6 compliant equipment in the Request for Quote or the order. The replacement of\nNARANET switches went through the CPIC process however, the need for IPv6\ncompliant equipment was not mentioned in the product proposal. NH support contractors\nwere not asked to review this full product plan therefore, an Enterprise Architecture\nconformance review checklist was not completed for this project.\n\nIn another example, NARA bought equipment in September 2005 that had to be upgraded\nor replaced in order for the devices to be IPv6 compliant. NARA spent $340,000 for 40\nCisco 3845 routers with accessories. The devices were not IPv6 capable because the\n\n                                                     Page 16\n                                   National Archives and Records Administration\n\x0c                                                                      OIG Audit Report No. 09-05\n\n\nrouter operating system did not have the feature pack needed to support IPv6 traffic. In\nSeptember 2008, NARA spent $216,000 to purchase upgrades for the router operating\nsystems, flash memory cards, and memory upgrades.\n\nA key milestone identified in NARA\'s Transition Plan was to adjust standard contracting\nlanguage to assure that any new products and services procured by the agency would be\nIPv6 compliant or would have a commitment from the vendor to upgrade to IPv6\ncompliance. This management control was to be in place by June 30, 2006. An NH\nofficial stated that standard contract language was sent to the Acquisitions Services\nDivision (NAA) to be included in the NARA Procurement Guide around June 2006\nhowever, NAA did not update the guide due to resource issues. If this management\ncontrol is not implemented, NARA may have to spend additional funds to acquire IPv6\ncompliant equipment.\n\nRecommendation 4\n\nThe Assistant Archivist for Administration should direct the Director, Acquisitions\nServices Division to develop standard contract language for all IT orders to require IT\nproducts and services be IPv6 compliant.\n\nManagement Comments\n\nThe Director NAA concurred with this recommendation stating that he will add a\nstatement to IT equipment purchases that all equipment and software delivered to NARA\nmust be IPv6 compliant.\n\nRecommendation 5\n\nThe Assistant Archivist for Information Services/CIO should update NARA Interim\nGuidance 801-2 and NARA Directive 805 to include those management controls\nidentified in the NARA IPv6 Transition Plan to ensure all NARA IT projects, systems,\nand associated procurements are IPv6 compliant.\n\nManagement Comments\n\nThe CIO disagreed with this recommendation as written and asked that the OIG\nreconsider the approach. According to the CIO, NARA 812 and the Enterprise\nArchitecture already contain this requirement. In addition, the CIO stated that it may not\nmake sense to put specific technology requirements directly into the CPIC and SDLC\npolicy documents because it would create a constant need to update and change policy\nevery time a new technology requirement came along or an old technology requirement is\nretired. The CIO stated fixing management controls around acquisition and their\napproval and signoff procedures may be a better option.\n\nAudit Response\n\nWe do not agree with the CIO that current controls within the Enterprise Architecture\nadequately address this requirement. In addition, management controls for ensuring IPv6\n\n                                         Page 17\n                       National Archives and Records Administration\n\x0c                                                                      OIG Audit Report No. 09-05\n\n\n\nrequirements cannot be limited to only the acquisition process. Planning for new projects\nand systems along with associated procurements involve both the CPIC and SDLC\nprocesses. The IPv6 Transition Plan identified specific management controls that should\nbe implemented within the CPIC and SDLC processes. For example, the plan\nrecommends that controls be established within the Decide phase of the CPIC process to\nspecifically identify IPv6 compliance as part of the proposed solution and ensure that\nIPv6 costs are accurately reflected in the cost estimates. Including controls within NARA\nInterim Guidance 801-2 and NARA Directive 805 is necessary to ensure NARA\'s\ncompliance with OMB policy.\n\n\n\n\n                                         Page 18\n                       National Archives and Records Administration\n\x0c                                                                                             Appendix A\n                      National Archives and Records Administration\n                                                                                             8601 Adelphi Road\n                                                                            College Park, Maryland 20740-6001\n                  .FEB 27 2009\nDate:\n\nTo:          Office of the Inspector General (OIG)\n\nFrom:        Office of Information Services (NH)\n\nSubject:     Draft Report 09-05, Audit ofNARA\'s Transition to Internet Protocol Version 6 (IPv6)\n\n             We have reviewed the draft OIG Report No. 09-05, January 16,2009, titled Audit ojNARA \'s\n            Transition to Internet Protocol Version 6. We have also met with OIG staff on two occasions\n            to discuss the draft. First, we want to thank your staff for meeting with us and providing a\n            draft report that is well written and organized--it is clear that the auditor dedicated significant\n            time in understanding the issues and presenting a coherent argument.\n\n             Nevertheless, based upon several of the findings and the recommendations set forth in this\n             draft report, we believe we mustfespond thoroughly to several issues, which in our opinion,\n            reflect misinterpretations regarding NARA\'s response to OMB Memo M-05-22, Transition\n            Planningfor Internet Protocol Version 6. In the table attached, we provide detailed\n            responses to the draft audit report. The OIG made five recommendations; we concurred with\n            two recommendations with comment; we disagreed with two recommendations, and one\n            recommendation was to the Assistant Archivist for Administration. Our response to each\n            recommendation is found on the attached matrix.\n\n            A summary of our major observations and comments on the draft follow:\n\n            1. Although we recognize that the OIG is simply restating OMB\'s language, we believe\n           OMBM-05-22 does not outline a viable transition strategy or any other type of strategy for\n           IPv6 implementation. This memorandum merely asserts\' a general policy mandate for\n           planning IPv6 adoption. We believe it is inappropriate to consider this policy mandate and its\n           associated guidance a valid, step-by-step, conformance testing and implementation approach\n           for establishing IPv6 capability. In our opinion, transitioning to IPv6 cannot be undertaken or\n           validated as an end unto itself. The integration risks and complexities oftransitioning to IPv6\n           require that it be pursued as one element of a comprehensive NARANET reengineering\n           strategy. To do otherwise would introduce unacceptable business risk, cost, and operational\n           complexity to NARA.\n\n           2, We believe we substantively addressed the requirements to develop an IPv6 test plan as set\n           forth by the M-05-22 mandate and supplemental OMB guidance. We also believe that the\n           tests we conducted in our laboratory and on our production network conform to OMB\n           guidance. In our opinion, we have tested beyond what is implied by the mandate and our tests\n           have unequivocally established that NARA\'s corelbackbone is capable of carrying IPV6 and\n           IPv4 traffic simultaneously. In addition, we demonstrated our capability to communicate\n           externally through emulation in our laboratory,\n\n\n\n\n                                  NARA \'s web site is http://www.archives,gov\n\x0c 3. Our test reports have been written to show our capability regarding the essential intent of\n the OMB mandate, that being, to pass IPv6 packets through the network core. The reports are\n surely not "legal" documents required to show adherence to certain step-by-step procedures\n asserted by OMB or any other organization. We want to make it clear that our IPv6 tests,\n whether conducted in our laboratory or in the production network, are not "conformance"\n tests in the formal, engineering sense of that term, and that any inference that OMB guidance\n provides true IPv6 conformance testing scenarios and procedures is mistaken. Formal\n conformance testing requires rigorous test suites and test beds to verify specific engineering\n requirements against well-understood standards. Since NISI is just now in the process of\n establishing IPv6 compliance standards and test mechanisms for the Federal government, we\n feel it is not valid to imply that our engineering methods are non-conforming or invalid based\n upon general statements of intent in a policy mandate or because we did not exactly mirror a\n set of ad-hoc, test scenarios.\n\n4. What OMB has produced over the last couple of years regarding IPv6 testing is neither a\nrigorous test suite nor a set of well-understood standards. What\'OMB has produced can only\nbe considered guidan~e to assess the general viability of certain, specific IPv6 capabilities\nwithin certain parts of an agency\'s network. Additionally, the guidance has changed over\ntime, presumably based on feedback from Federal agencies. Initially, IPv6 was supposed to\nhave been implemented or "used" within the core of an agency\'s network by June 30, 2008.\nSubsequent OMB guidance changed the requirement from be "used" to being "ready to pass\nIPv6 traffic and support IPv6 addresses within the core" by June 30, 2008.\n\nNeither has there been a consistent definition of "corelbackbone." The current definition\nidentifies major "aggregation nodes" as "corelbackbone." NARA can identify such\naggregation nodes within our current Frame Relay environment, but such identification would\nnot be possible if an agency has an MPLS network. For an MPLS network, one may be able\nto approximately identify a "core/backbone" by saying "a set of nodes experiencing the\nheaviest traffic." The point is that "corelbackbone" can only be defined within a certain\ncontext, and it is a general concept that is only minimally useful for the purpose of\nengineering network implementations. It is not possible for OMB or any other organization to\nhave procedures, tests and standards defined for a multitude of unknown "corelbackbone"\ndefinitions.\n\n5. OMB continues to refine guidance related to IPv6 in response to feedback from Federal\nagencies, and in recognition oflI product and service market realities. We expect that this\nrefinement will continue for the foreseeable future. Irrespective of these future\nconsiderations, Federal agencies can plan for the arrival oflPv6; and we are doing so.\n\nWe have identified IPv6 as one of a number of interrelated network technologies in the\nEnterprise Architecture (EA) to be incorporated into the future design ofNARANET. In the\nshort-term, we have taken the OMB IPv6 mandate seriously and have performed significant\nIPv6 verification testing--within the real world constraints of IPv6 adoption and availability in\nthe IT product and service marketplace, and ever cognizant of the risks to NARA\'s business\noperations. We would add that expending resources to perform additional testing as\nprescribed by OMB and as recommended in the report would not be a fruitful activity since\n\n\n\n\n                             NARA \'s web site is http://www.archives.gov\n\x0cwe would be testing on an infrastructure that will be replaced. Currently, (a) NARA is now\nmigrating from Sprint\'s Frame Relay services to Qwest\'s MPLS services under Networx, and\n(b) the OMB Trusted Internet Connections (TIC) requirement will force a complete\nreconfiguration ofNARA\'s Internet Service Provider (lSP) interface at the network edge,\nactivities that would make additional testing as prescribed by the OMB Demonstration Plan of\nquestionable value.\n\nFinally, we believe that there are several statements in the draft report that prematurely\nhighlight the need to address "future" obstacles, risks, and challenges associated with\nimplementing IPv6 in NARA\'s production environment. Although it is true that additional\nwork efforts will be required in the future when NARA transitions to IPv6 deployment and\noperation, we do not believe that these "future" work efforts are applicable to satisfying the\nM-05-22 mandate of verifying IPv6 capabilities in the network core.\n\nWe hope you consider these comments and those on the attached matrix as you develop your\nfinal draft of the audit report. As always, we are available to discuss any issues and meet with\nyour and your staff. If you have specific questions about the text of the response, please call\nHaseen Uddin on 301-837-3072 or via email at haseen.uddin@nara.gov.\n\n\n\n\nAttachment: Detailed Comments on 010 IPv6 Audit Report No. 09-05\n\n\n\n\n                           NARA \'s web site is http://www.archives.gov\n\x0c                               Detailed Responses to OIG IPv6 Audit Report No. 09-05, January 16, 2009\n\n                          Report Statement                                     Page I                            Comment I Rationale\n                                                                             Paragraph\n\nTo guide Federal Government agencies in their transition to IPv6, in        Page 1 /      We do not agree that M-05-22 outlines a transition strategy.\nAugust 2005, the Office of Management Budget issued Memorandum              Paragraph 2\nM-OS-22, "Transition Planning for Internet Protocol Version 6", which\n                                                                                          Although we recognize that the OIG is simply restating OMB\' s\noutlined a transition strategy for agencies to follow and established the\n                                                                                          language, in our opinion OMB M-05-22 does not outline a transition\ngoal for all Federal agency network backbones to support IPv6 by June\n                                                                                          strategy or any other type of strategy. It merely asserts a general\n30,2008.\n                                                                                          policy mandate for planning IPv6 adoption.\n\nNARA did not comply with the OMB mandate because NARA has not               Page 1 /      We disagree with this assertion. We believe that we verified that\nverified whether the network backbone is capable of supporting IPv6.        Paragraph 4   the NARANET backbone is capable of supporting IPv6. /\nSpecifically, IPv6 testing on the production environment did not test\nNARA\'s ability to transport IPv6 traffic through all devices in the core\n                                                                                          Our production testing conclusively verified and documented that\nnetwork and did not test whether NARA could successfully receive and\n                                                                                          IPv6 packets can be propagated on and routed through the core of\ntransmit IPv6 traffic outside NARA\'s network. As a result, NARA\n                                                                                          NARANET. Our simulations in the lab proved that our network\ndoes not have assurance that the planned implementation strategy will\nwork.                                                                                     equipment configurations are capable of routing IPv6 packets to and\n                                                                                          from NARANET at the edge (outside) of the network. The lab\n                                                                                          simulations we performed were our best alternative for testing the ISP\n                                                                                          interface at the time of the test because our ISP could not provide a\n                                                                                          native IPv6 interface at that time.\n\n                                                                                          This mandate did not assert a requirement to "implement" IPv6 in\n                                                                                          production, so we believe that any "implementation strategy", outside\n                                                                                          of our strategy for verification testing of certain IPv6 capabilities, is\n                                                                                          not germane to this mandate or this discussion. Both the last section\n                                                                                          ofM-05-22 and Appendix C state that additional guidance on IPv6\n                                                                                          will be provided by the CIO Council Architecture and Infrastructure\n                                                                                          Committee. This subsequent guidance stated that IPv6 does not need\n                                                                                          to be operationally enabled by June 30, 2008; i.e., there was not an\n                                                                                          "implementation" requirement to make IPv6 operational, only a\n                                                                                          requirement to verify certain IPv6 capabilities in the network core.\n\x0c                              Detailed Responses to OIG IPv6 Audit Report No. 09-05, January 16, 2009\n\n                          Report Statement                                     Page I                             Comment I Rationale\n                                                                             Paragraph\n\nWe also found that additional work is needed in order for NARA to            Page 1/       We believe this paragraph inaccurately highlights the need to\naddress future obstacles and challenges. For example, NH officials           Paragraph 5   address the "future" obstacles, risks, and challenges associated\ninvolved in planning for the transition to IPv6 did not identify or                        with implementing IPv6 in NARA\'s production environment.\naddress risks and challenges associated with the transition. If not                        Although it is true that additional work efforts will be required in\naddressed, these risks and challenges may result in increased costs and                    the future when NARA transitions to IPv6 deployment and\nsecurity risks associated with the transition to IPv6. In addition, new IT                 operation, we do not believe that these "future" work efforts are\nequipment orders did not contain a requirement for products to be IPv6                     applicable to satisfying the M-OS-22 mandate to verify IPv6\ncompliant or interoperate with both IPv4 and IPv6 systems. As a result,                    capabilities in the network core.\nNARA may have to spend additional funds to acquire IPv6 compliant\nequipment.                                                                                 The sUlmnary paragraph of our strategy states: "Since NARA had no\n                                                                                           immediate operational need for IPv6, it was determined that the\n                                                                                           strategy going-forward would be to align all IPv6 engineering,\n                                                                                           acquisition, and implementation activities with other network\n                                                                                           engineering projects and business application release schedules. This\n                                                                                           approach would eliminate the need for multiple and costly system\n                                                                                           testing, rollout, and infrastructure recertification efforts." (Section 1.2\n                                                                                           page 3, IPv6.Closeout.Report).\n\n                                                                                           The risks associated with the IPv6 verification testing activities\n                                                                                           required by the mandate are documented in section 10, page 41 of the\n                                                                                           IPv6.Implementation. Plan. Section 5, page 8 of the IPv6 Closeout\n                                                                                           Report summarizes additional risks and considerations that are key to\n                                                                                           the actual implementation of IPv6 at NARA.\n\n                                                                                           Although we agree that future risks associated with implementing,\n                                                                                           integrating, and operating IPv6 will need to be addressed (and they\n                                                                                           will be), we do not believe that they are germane to this mandate, or\n                                                                                           its specific deliverables and timeframes.\n\x0c   Detailed Responses to DIG IPv6 Audit Report No. 09-05, January 16, 2009\n\nReport Statement                    Page I                          Comment I Rationale\n                                  Paragraph\n\n\n                                              Although we agree that NARA may need to spend additional funds to\n                                              acquire IPv6 compliant equipment in future, this will be due to the\n                                              timing of and requirements for actual IPv6 implementation, not\n                                              necessarily because of past procurements. In the future, some\n                                              products that NARA has acquired may need upgrades for production\n                                              implementation of IPv6, some may not, and some may need to be\n                                              replaced. However, IPv6 is but one factor in these considerations and\n                                              many of the specific engineering requirements for production\n                                              operation of IPv6 by way of developing a bill of materials (BOM) are\n                                              unknown at this time. Additionally, NIST is just now establishing\n                                              IPv6 standards, and USG compliant IPv6 devices are not expected to\n                                              be available for acquisition until July 2010.\n\n                                              Although we agree that we should try to acquire IPv6 capable\n                                              products and services, we need to recognize that some product\n                                              vendors and service providers may not provide products that are IPv6\n                                              capable at this time, and some segments of the market like ISPs, IP\n                                              telephony vendors, security product vendors, and middle ware vendors\n                                              are not yet transitioned to IPv6. NARA needs to be careful not to\n                                              prohibit the use of products and services needed to support today\'s\n                                              business operations because those products do not yet support an\n                                              implementation requirement that may be more than 5 years in the\n                                              future. OMB M-05-22 actually states that:\n\n                                              "To avoid Ulmecessary costs in the future, you should, to the\n                                              maximum extent practicable, ensure that all new IT procurements are\n                                              IPv6 compliant. Any exceptions to the use of IPv6 require the\n                                              agency\'s eIO to give advance, written approval. .. "\n\x0c                            Detailed Responses to OIG IPv6 Audit Report No. 09-05, January 16, 2009\n\n                        Report Statement                                    Pagel                            Comment I Rationale\n                                                                          Paragraph\n\nIPv6 testing on the production environment did not demonstrate           Page 5 /      We disagree with this assertion. We believe that our tests and the\nNARA\'s ability to successfully transport IPv6 traffic on the network     Paragraph 1   corresponding results clearly demonstrate that NARA\'s backbone\nbackbone. This occurred because NH officials did not use the Chief                     can and did propagate, transport, and route IPv6 traffic. /\nInformation Officer (CIO) Council\'s Demonstration plan in developing\ntheir test plan and NARA did not contact any external agencies to                      IPv6 packets were clearly propagated, transported, and routed through\npartner with to complete the testing.                                                  the network backbone as is evident by the results of 7 different ping\n                                                                                       test scenarios. We believe our test results are valid even if they did\n                                                                                       not mirror the OMB Demonstration plan test scenarios verbatim.\n                                                                                       Also, verifying that the network backbone can transport IPv6 traffic\n                                                                                       does not require a test partner in our opinion.\n\nThe OMB deadline of June 30, 2008 has passed however; NARA has           Page 5 /      We disagree with this assertion. We believe we have clearly \n\nnot verified whether the network backbone is capable of supporting       Paragraph 4   demonstrated that IPv6 packets can traverse the backbone and \n\nIPv6. Specifically, IPv6 testing on the production environment did not                 we have documented test results that support our position. / \n\ntest NARA\'s ability to successfully transport IPv6 traffic through all\ndevices in the core network and did not test whether NARA could                        We believe that our tests and the corresponding results demonstrate\nsuccessfully receive and transmit IPv6 traffic outside NARA\'s network.                 that NARA can transport IPv6 traffic through the network core. IPv6\n                                                                                       packets were clearly propagated on and transported tlu\xc2\xb7ough the\n                                                                                       network core as is evident by the results of 7 different ping test\n                                                                                       scenarios. We also believe that the simulation tests we performed in\n                                                                                       the lab demonstrate that NARA\'s infrastructure components will be\n                                                                                       able to receive and transmit IPv6 traffic to/from NARA\'s network\n                                                                                       core, when there is a source for such traffic.\n\n                                                                                       OMB asserts at least two different definitions for the network\n                                                                                       corelbackbone as listed below. Based on OMB\'s second and most\n                                                                                       current definition, NARA\'s core would consist only of the Cisco 7206\n                                                                                       routers in College Park and St. Louis. By this definition, our testing\n                                                                                       actually went beyond this requirement.\n\x0c                               Detailed Responses to OIG IPv6 Audit Report No. 09-05, January 16, 2009\n\n                          Report Statement                                     Page I                             Comment I Rationale\n                                                                             Paragraph\n\n                                                                                              ..\n                                                                                          (1) E\xc2\xb7GOVFederal Govemment Transition Internet Protocol Version\n                                                                                          4 (IPv4) to Internet Protocol Version 6 (lPv6) Frequently Asked\n                                                                                          Questions, 2/15/06.\n\n                                                                                          "The "backbone" includes the wide area network (WAN) core up to\n                                                                                          the local area network (LAN) point of demarcation. The LAN\n                                                                                          demarcation point is the device (e.g., router, switch) which services\n                                                                                          the workstations)."\n\n                                                                                          (2) Demonstration Plan to Support Agency IPv6 Compliance, Version\n                                                                                          1.0, January 28, 2008.\n\n                                                                                          "For the purposes of the IPv6 transition, the core network (a.k.a.\n                                                                                          backbone network) is the set of network transport devices (routers,\n                                                                                          switches) that provide the highest level of traffic aggregation in the\n                                                                                          network, and thus at the highest level of hierarchy in the network."\n\nThe CIO Council emphasized that the demonstration oflPv6                    Page 61       We disagree with this assertion. The upgrades were made for the\ncompliance must be performed on the Agency\'s operational core               Paragraph 2   purposes of the test - directly on the NARANET production\nnetwork. However, NARA had to modify equipment software in order\n                                                                                          network devices and the test were executed concurrent with\nto perform the testing. Specifically, the operating software installed on\n                                                                                          normal NARANET operations on those devices. 1\nthe Cisco 3845 routers was not IPv6 capable. NH officials agreed to\nupgrade only those four devices involved in the testing and then remove\n                                                                                          Based on Cisco\'s "Hierarchical Networking Model" definition and\nthe update once the test was complete. Therefore, testing conducted\n                                                                                          OMB\'s Demonstration plan definition, the 3845 routers installed at\nwas not an accurate reflection ofNARA\'s operational core network.\n                                                                                          the field sites are part of the distribution layer of the network, not the\n                                                                                          "core" layer of the network. The 7206 routers that constitute the core\n                                                                                          layer of the network can support IPv6 operationally as-is from a\n                                                                                          HW/IOS perspective.\n\x0c                              Detailed Responses to DIG IPv6 Audit Report No. 09-05, January 16, 2009\n\n                          Report Statement                                     Page I                            Comment I Rationale\n                                                                             Paragraph\n\n\n                                                                                          Additionally, we went beyond this limited definition of "core" and\n                                                                                          actually included testing of selected field site 3845 routers in the\n                                                                                          network distribution layer across the entire country. However, the\n                                                                                          changes needed to be rolled-back from the 3845 routers because it is\n                                                                                          bad operations management practice to leave components installed\n                                                                                          that are not in use, and doing so would violate the "Least Privilege"\n                                                                                          NIST security control [AC-6.2]: "For moderate or high confidentiality\n                                                                                          information systems, NARA shall employ the concept of least\n                                                                                          privilege for specific duties and information systems (including\n                                                                                          specific ports, protocols and services) in accordance with risk\n                                                                                          assessments as necessary to adequately mitigate risk to NARA\n                                                                                          operations, NARA assets and individuals."\n\nAfter NARA conducted its test ofthe production network an NH                Page 6 /      We disagree that the CIO Council\'s guidance prescribing a\nofficial reported to OMB that testing addressed the scenarios identified    Paragraph 3   tunneling approach addresses the limitation of an agency\'s ISP\nby OMB and the tests were successful. However, the production               onto page 7   not being IPv6 enabled. In our opinion this is not valid from a\ntesting did not include tests to verify NARA\'s ability to transmit and                    network engineering perspective. /\nreceive IPv6 traffic from an external network. According to a summary\nof the test scenarios included in the verification results, NARA\'s\n                                                                                          When tunneling as suggested, IPv6 packets are not propagated or\nInternet Service Provider could not provide a native IPv6 Internet\n                                                                                          routed, IPv4 packets are. This is no different that what is performed\nenvironment to interface with the NARANET production infrastmcture\n                                                                                          on the IPv4 network today. The suggested tunneling configuration\nat the time of the test, therefore NARA emulated in previous tests an                     does not verify IPv6 traffic propagation or IPv6 routing.\nexternal IPv6 network to pass native IPv6 traffic to and from\nNARANET. Guidance from the CIO Council addressed this limitation\nstating if an agency\'s ISP is not IPv6 enabled or does not offer IPv6\ninternet services, a static IPv6 over IPv4 tunnel can be used between the\nagency gateway and the corresponding internet border gateway.\n\nAccording to OMB, agencies were required to ensure their network            Page 7 /      The OMB Demonstration plan guidance was promulgated too late\n\x0c                            Detailed Responses to OIG IPv6 Audit Report No. 09-05, January 16, 2009\n\n                        Report Statement                                   Page I \n                          Comment I Rationale\n                                                                         Paragraph \n\n                                                                                                h\'"\n\n\nbackbones were IPv6 capable. Agencies were to demonstrate this           Paragraph 2   to be used by NARA without seriously disrupting our IPv6 testing\ncapability by completing the tests identified in the CIO Council test                  and EA submission schedules. Although our test scenarios did\nguidance. However, NH officials did not use the CIO Council\'s                          not mirror the scenarios set forth in the OMB Demonstration\nDemonstration Plan and instead, wrote their own test scenarios. In                     plan verbatim, we believe they were sufficiently robust to\nDecember 2007, the CTO made the decision that the production testing                   demonstrate IPv6 capability in the network core. /\nwould be internal only because testing with an external partner would\nhave to be done using a tunnel which the CTO believed would not have                   The OMB Demonstration plan guidance did not come out until after\nany significance. No attempt was made to contact external agencies to                  NARA had completed lab testing and the majority of our production\ndiscuss partnering for the tests.                                                      test development and preparation was complete. (NARA was actually\n                                                                                       late on our schedule - we had planned to complete the production tests\n                                                                                       just prior to the XMAS holiday break.) The OMB Demonstration plan\n                                                                                       guidance was received only 28 days before NARA\'s EA submission\n                                                                                       was due, and it is important to remember that the EA submission\n                                                                                       required IPv6 work products. It was decided that it was too late to\n                                                                                       change the testing strategy because it would have caused rework that\n                                                                                        could have jeopardized completion of the tests and could have\n                                                                                        impacted our EA scores.\n\n                                                                                       As stated above, we simulated the ISP interface because\n                                                                                       VerizonlUUNET did not provide a native IPv6 feed at the time of the\n                                                                                       test. In our opinion, setting up a test-bed with an external agency\n                                                                                       would have been no more representative ofNARA\'s production\n                                                                                       environment than our simulations because an external agency test-bed\n                                                                                       is not an ISP nor would it necessarily simulate one. As stated above,\n                                                                                       tunneling IPv6 through IPv4 does not validate any aspect ofIPv6\n                                                                                       functionality in our opinion.\n\nThe purpose of the testing was to demonstrate the implementation and                   We disagree with this assertion. We believe that our tests and the\nthe interoperability of a dual-stack IPv6 and IPv4 architecture on the                 corresponding results clearly demonstrate that NARA\'s backbone\ncore ofNARANET however, based on the limitations of the testing,\n                                 ,~~         ,   ,~,~"\n                                                                                       can tra~.sJ1ort IPv6..and IPv4 trafr.ic c.oncurr~ntly. Installing lOS\n\x0c                              Detailed Responses to OIG IPv6 Audit Report No. 09-05, January 16, 2009\n\n                         Report Statement                                   Page I                               Comment I Rationale\n                                                                          Paragraph\nNARA does not have assurance that their IPv6 strategy will work or                                    \'"   c"y        ,,> ~   ,\n\n\n\n\nthat the core backbone is capable of supporting IPv6 traffic. In                      upgrades on the 3845s and retesting will just consume time and\n                                                                                      resources to repeat more instances of what we have already done.!\nSeptember 2008, NH officials purchased lOS upgrades for the 3845\nrouters so that routers will be IPv6 capable. Once the lOS upgrades are\n                                                                                      The test scenario in the CIO Council\'s Demonstration plan that\ninstalled, NARA should conduct IPv6 testing using the procedures\noutlined in the CIO Council\'s demonstration plan.                                     applies to the 3845s has already been performed. As noted above,\n                                                                                      depending on the definition of "core" that is used, the 3845s may not\n                                                                                      even be applicable. The testing to verify external interaction with the\n                                                                                      ISP that we simulated in the lab, and that this report considers invalid,\n                                                                                      would not involve the 3845s because external interaction tests occur\n                                                                                      on the edge of the network, not in the core.\n\n                                                                                      Practically speaking, when IPv6 gets operationally deployed it will\n                                                                                      likely be done incrementally on a router by router basis, so having\n                                                                                      some 3845 routers with IPv6 implemented and some without is\n                                                                                      actually a more realistic test.\n\n                                                                                      In our opinion, it is inaccurate to infer that performing testing as per\n                                                                                      the OMB Demonstration assures IPv6 capability or verifies the\n                                                                                      viability ofIPv6. The OMB prescribed test scenarios only investigate\n                                                                                      specific, limited IP capabilities. The OMB test scenarios do not\n                                                                                      provide a comprehensive validation of overall IPv6 readiness because\n                                                                                      they do not address applications, integration, management, security,\n                                                                                      performance, capacity, interoperability, IT market penetration and\n                                                                                      support, commercial viability, or the product and service certification\n                                                                                      aspects ofIPv6 migration. Additionally, NIST is just now\n                                                                                      establishing IPv6 standards, and USG compliant IPv6 devices are not\n                                                                                      expected to be available for acquisition until July 2010.\n\nRecommendation 1\n                                                                                      We disagree with this recommendation. We believe that\n                                                                                      additional testing as per the OMB Demonstration plan is\n\x0c                             Detailed Responses to OIG IPv6 Audit Report No. 09-05, January 16, 2009\n\n                         Report Statement                                   Page I                           Comment I Rationale\n                                                                          Paragraph\n\nThe Assistant Archivist for Information Services should ensure testing   Paragraph 4   unnecessary and that our resources would be better spent on the\nrequired by OMB and outlined in the Federal CIO Council Architecture                   overall NARANET reengineering project of which IPv6 is but one\nand Infrastructure Committee "Demonstration Plan to Support Agency                     part. /\nIPv6 Compliance," version 1.0 on NARA\' s operational core network is\nperformed and the test results as required by the CIO Council to                       In our exit review on IPv6, performed by GSA on behalf of OMB, no\ndemonstrate compliance are documented.                                                 concerns were expressed regarding our approach to the IPv6 mandate.\n                                                                                       Additionally, NARA received a perfect 5 out of 5 for the IPv6 criteria\n                                                                                       score on the FY07 and FY08 EA submissions. OMB is aware of how\n                                                                                       we tested, and why we tested in the manner that we did.\n\n                                                                                       The facts are that: (1) NARA is now migrating from Sprint Frame\n                                                                                       Relay services to Qwest MPLS services under Networx, and (2) the\n                                                                                       TIC requirement will force a complete reconfiguration ofNARA\'s\n                                                                                       ISP interface at the network edge would seem to make additional\n                                                                                       testing as prescribed by the OMB Demonstration plan on the current\n                                                                                       infrastructure even less useful.\n\n                                                                                       Additionally, OMB has release new draft guidance on IPv6 (The\n                                                                                       Business Case and Roadmap for Completing IPv6 Adoption in US\n                                                                                       Government, version 0.1, December 22,2008). This new guidance\n                                                                                       has new requirements and new timelines, so the past IPv6 activities\n                                                                                       associated with M-05-22 have been overtaken by new events and new\n                                                                                       requirements. Some items of note:\n\n                                                                                       (1) The new guidance aligns with the approach we have been\n                                                                                       pursuing and states that an IPv6 Transition Strategy Plan should be\n                                                                                       developed that integrates with other agency activities. \'The IPv6\n                                                                                       Transition Strategy Plan should be folded into the Enterprise\n                                                                                       Transition Strategy Plan, should link to core mission segments as\n                                                                                       appropriate, and should define a specific time line and set of\n\x0c   Detailed Responses to OIG IPv6 Audit Report No. 09-05, January 16, 2009\n\nReport Statement                    Page I                             Comment I Rationale\n                                  Paragraph\n\n                                                milestones to deploy the IPv6-enabled network services defined in the\n                                                IT Infrastructure Segment Architecture. As with any other teclmology\n                                                integration effort, the plmming effort should consider multiple\n                                                timelines, including:\n\n                                                \xe2\x80\xa2 Budget cycles\n\n                                                \xe2\x80\xa2 Technology refresh cycles\n\n                                                \xe2\x80\xa2 IT Infrastructure quality improvements\n\n                                               \xe2\x80\xa2 Equipment and software certification cycles\n\n                                               \xe2\x80\xa2 IT project dependencies\n\n                                               \xe2\x80\xa2 Technology standards development and adoption\n\n                                                 When developing the transition strategy, focus on ensuring that\n                                                 network, computing, application, and service components are enabled\n                                                 in a sequence that will generate the maximum amount of meaningful\n                                                 end-to-end IPv6 activity. At times, an inmlediate incremental change\n                                              i \thas advantages over waiting for all IPv6 features to be available in the\n                                                 next version of a product.\n\n                                               (2) IPv6 tests should be done in a lab environment - much like we\n                                               have done. "Setting up a test lab is important for the safe controlled\n                                               introduction of new technology into your network and prototyping\n                                               with an emphasis on small scale validation of targeted performance\n                                               outcomes (e.g. experimenting with secure IPv6-enabled teleworking).\n                                               Testing in a lab enables the agency IT group to perform tests that\n\x0c   Detailed Responses to OIG IPv6 Audit Report No. 09-05, January 16, 2009\n\nReport Statement                    Page I                               Comment I Rationale\n                                  Paragraph\n                                                                    .=                       .. ~\n                                              could potentially be disruptive or introduce a security risk if deployed\n                                              on the production network. The test environment shoulc;l be set up as\n                                              close as possible to resemble the production enviromnent. At first, the\n                                              test sites should not be cOlmected to the production network or to each\n                                              other."\n\n                                               (3) NIST is establishing an official IPv6 Test Program to truly verifY\n                                               IPv6 compliance ofIT products. "Following publication of the USG\n                                               IPv6 Standards Profile, an infrastructure to demonstrate IPv6 product\n                                               compliance needed to be set up. As a result, NIST is establishing a\n                                               testing program based on ISO 17025 accredited test laboratories and\n                                               standard reference tests, to assure compliance of Hosts, Routers and\n                                              Network Protection Devices. NIST is developing a document SP 500\xc2\xad\n                                              273 Guidance on IPv6 Test Methods and Validation, due for\n                                              pUblication late 2008. This is pre-requisite to open public review of\n                                              the test specifications, and Accreditation Bodies\' establishing\n                                              assessment programs, leading to the creation of Test Laboratories that\n                                              adhere to the ISO 17025 "General Requirements for the Competence\n                                              of Testing and Calibration Laboratories". The goal is to have USG\n                                              compliant IPv6 devices available for acquisition by July 2010.\n                                              Compliance is signaled by device vendors issuing a "Suppliers\n                                              Declaration of Conformance", based on ISO 17050. Specific\n                                              provisions of this SDOC require that host and router products be\n                                              tested for conformance and interoperability, and network protection\n                                              products undergo functional testing, in accredited laboratories.\n\n                                              (4) Regarding ISPs, we offer the following relevant quote: "The\n                                              technical stufffor IPv6 is done. IPv6 is ready. This is a business issue\n                                              in the internet service industry. The ISP community round the world\n                                              needs to pay attention ... They are persisting in the \'nobody is asking\n\x0c                                 Detailed Responses to OIG IPv6 Audit Report No. 09-05, January 16, 2009\n\n                            Report Statement                                   Page I \n                             Comment I Rationale\n                                                                              Paragraph \n\n                                                                                            ,h~U          ~~~\n\n\n\n\n                                                                                            for this\' mentality. They are not valuing business continuity as they\n                                                                                            should. When they finally wake up, there is going to be a mad\n                                                                                            scramble for IPv6 and they won\'t implement it properly". Vinton\n                                                                                            Cerf, September 30, 2008.\n\n. NH officials involved in planning for the transition to IPv6 did not                       We believe these paragraphs inaccurately highlight the need to\n. \tidentify or address risks and challenges associated with the transition.                  address "future" risks and challenges associated with\n   This occurred because NH officials have not updated the IPv6 Impact                       implementing IPv6 in NARA\'s production environment.\n   Analysis since June 2006 and based their planning activities on the                       Although it is true that additional work efforts will be required in\n   belief that NARA will not operationally enable IPv6 in the near term.                     the future when NARA transitions to IPv6 deployment and\n   If not addressed, these risks and challenges may result in increased                      operation, we do not believe that these "future" work efforts are\n   costs and security risks associated with the transition.                                  applicable to satisfying the M-05-22 mandate to verify IPv6\n                                                                                             capabilities in the network core by June 30, 2008. Additionally,\n OMB Memorandum 05-22 required agencies to begin an impact                                   we believe that we developed and submitted an IPv6 impact\n analysis that included both cost and risk elements. According to the                        analysis as per OMB\'s prescribed format and guidelines - and in\n memorandum, the risk analysis should include areas such as                                  fact, we submitted it to OMB for review on two separate\n dependencies and interoperability issues, business risks, and security                      occasions as part of our EA submissions. I\n risks. NARA\'s IPv6 Impact Analysis included a paragraph on each\n area associated with IPv6 implementation required by OMB M-05-22                            These paragraphs, ironically, make the very case we have been\n but did not fully address the associated risks. For example, the Impact                     asserting. We purposely pursued a strategy of "capability\n Analysis does not identify any dependencies or interoperability issues                      verification" rather than "production implementation" to avoid risk to\n involved with IPv6 even though several NARA systems were identified                         NARA. The reason we did not identify implementation, application,\n as dependent on the version of IP that is used and did not support IPv6.                    integration, and business risk is because we approached this effort as\n According to the Impact Analysis, "this project is only dependent upon                      a capability verification project, not an implementation project. In\n approval of the funding and staffing that is required to implement it. It                   other words, the management of these types of risks are applicable to\n  is completely self-contained and will not interoperate with any other                      future projects that will actually transition IPv6 to production\n system or project."                                                                         operations. They are not applicable to a project that is only verifying\n                                                                                             IPv6 capabilities in the network core.\n  The Impact Analysis did not identify any business impact or risk\n  associated with the transition to IPv6. However, several critical NARA                      Applications and integration were not even in scope for this initial\n\x0c                              Detailed Responses to DIG IPv6 Audit Report No. 09-05, January 16, 2009\n\n                          Report Statement                                   Page I                              Comment I Rationale \n\n                                                                           Paragraph \n\nbusiness applications, including the Case Management and Reporting\nSystem (CMRS) and the Archival Research Catalog (ARC), were found                        effort, although we did identify the applications that will have IPv6\nto be dependent upon the version of IP that is used. According to the                    dependencies when the production implementation of IPv6 is\nCTO, NARA has lots of homegrown applications that run on IPv4 and                        addressed. In our opinion, the OMB mandate did not require us to\n                                                                                         address application integration and rework by June 30, 2008.\nit has yet to be detennined what percentage of those applications can\neasily use IPv6. The CTO also stated ARC and CMRS would require\nsubstantial work to be able to support IPv6.\n\nIn another example, the Impact Analysis considered IPv6 to be no more     Page 8/\nor less secure than IPv4 and therefore, would not pose any new security                  We disagree and stand by our stated assertions for the\n                                                                          Paragraph 4    verification tests. IPv6 was purposely not made operational, so\nrisks to IT operations. Reports issued by the Government\nAccountability Office along with a Department of Homeland Security                       these risks would not be incurred using our verification test\n                                                                                         approach. /\nUS-CERT advisory discuss multiple security issues concerning IPv6.\nAccording to GAO, IPv6 creates new opportunities for network abuse if\nIPv6 capable devices are not properly managed. Two IPv6 features\xc2\xad                        This paragraph is just a general statement of potential risks; it does\nautomatic configuration and tunneling-could present serious risks to                     not specify risks applicable to this project that were not effectively\nfederal agencies. Automatic configuration can facilitate network                         identified and mitigated. We do not believe that our testing scenarios\nattacks because a rogue or unauthorized router may reconfigure                           exposed the agency to any auto configuring, tunneling, or poor IP\nneighboring devices by assigning them new addresses and routes.                          management risks. This paragraph actually supports our rationale for\nTunneling can permit unauthorized traffic into the network undetected.                   not making IPv6 operational at this time, re: security. This is one\nThe US-CERT alert warned federal agencies that unmanaged, or rogue,                      reason we pursued a capabilities verification approach, and rolled it\n                                                                                         back.\nimplementations ofIPv6 present network management security risks.\nNARA\'s Impact Analysis did not address these security risks.\n\nThe IPv6 Impact Analysis identified training costs for 15 NH              Page 8 /\nemployees involved in the IPv6 transition however, training has not                      IPv6 is not running in production operations so there is nothing\n                                                                          Paragraph 5    to train at this time. /\nbeen provided. According to GAO, a challenge to the transition will be    onto page 9\nmaintaining dual IPv4 and IPv6 environments for extended periods of\ntime. Maintaining two network protocols is challenging in that it adds                   In our opinion, the training requirement will not manifest itself until\n                                                                                         IPv6 goes into production operations. The engineers involved in the\n\x0c                              Detailed Responses to DIG IPv6 Audit Report No. 09-05, January 16, 2009\n\n                         Report Statement                                  Page I                              Comment I Rationale\n                                                                         Paragraph\n                                    .~"          \'\'\'\'\'\'\'\'\ncomplexity to network maintenance and associated costs are higher. It\nalso requires skilled personnel and may be difficult to maintain                       . test did not require training because IPv6 was part of their skill-set.\n                                                                                         This paragraph actually supports our rationale for not making IPv6\nhardware and software interoperability across dual environments.\n                                                                                         operational at this time, re: operations complexity. This is one reason\nNARA IPv6 planning documents did not address this challenge\n                                                                                         we pursued a capabilities verification approach, and rolled it back.\n\nRecommendation 2                                                        Page 9 /        We agree with the recommendation, but this should be handled as\n                                                                        Paragraph 4     part of the NARANET redesign project as per our stated strategy\nThe Assistant Archivist for Information Services should update the\n                                                                                        and OMB\'s new guidelines.\nIPv6 Impact Analysis to address the security and business risks\nassociated with implementing IPv6.\n                                                                                        This should not be infelTed as an issue of compliance with the past M\xc2\xad\n                                                                                        05-22 mandate requiring a specific impact analysis at a past point in\n                                                                                        time, which we did, in fact, provide. Additionally, risks associated\n                                                                                        with "implementing" IPv6 were not applicable to this project because\n                                                                                        there was no requirement or intent to "implement" IPv6 in\n                                                                                        production, just to verify certain IPv6 capabilities in the network core.\n                                                                                        We also assert that going forward; we need an impact analysis for the\n                                                                                        overall NARANET redesign, not just for IPv6 unto itself.\n\nRecommendation 3                                                        Page 9 /        We agree with the recommendation, but this should be handled as\n                                                                        Paragraph 5     part of the NARANET redesign project as per our stated strategy\nThe Assistant Archivist for Information Services should ensure                          and OMB\'s new guidelines.\nemployees responsible for planning, implementing, maintaining, and\nsecuring an IPv6 network for NARA receives appropriate IPv6 training.\n                                                                                        This should not be infelTed as an issue of compliance with the past M\xc2\xad\n                                                                                        05-22 mandate. We would note that this is not really a matter of\n                                                                                        training but rather a skill required for network engineers going\n                                                                                        forward - much like IPv4 currently.\n\nIn another example, NARA bought equipment in September 2005 that        Page II/Last    This is not a full characterization of what happened. /\nhad to be upgraded or replaced in order for the devices to be IPv6\n\x0c                              Detailed Responses to OIG IPv6 Audit Report No. 09-05, January 16, 2009\n\n                          Report Statement                                  Page I                             Comment I Rationale \n\n                                                                          Paragraph \n\n~ompliant.   NARA spent $340,000 f~r 40 Cisco 3845 routers with          Paragraph\naccessories. The devices were not IPv6 capable because the router                       These upgrades were not only purchased for IPv6, but also to support\noperating system did not have the feature pack needed to support IPv6                   the long term administration and management of Cisco\'s lOS\ntraffic. In September 2008, NARA spent $216,000 to purchase                             enterprise-wide and to support the transition to MPLS under Networx.\nupgrades for the router operating systems, flash memory cards, and\nmemory upgrades.\n\nRecommendation 4\n                                                                         Page 12/       While NA will provide a response to these recommendations, we\n                                                                         Paragraph 2    have the following comments as to their context: /\nThe Assistant Archivist for Administration should direct the Director,\nAcquisitions Services Division to:\n                                                                                        Although we agree that we should try to acquire IPv6 capable\n                                                                                        products and services, we need to recognize that some product\na.) Develop standard contract language for all IT orders to require IT\nproducts and services be IPv6 compliant; and                                            vendors and service providers may not provide products that are fully\n                                                                                        IPv6 capable at this time, and some segments of the market like ISPs,\n                                                                                        IP telephony vendors, security product vendors, and middleware\nb.) Update the NARA Procurement Guide to require all acquisitions of\nIT hardware, software, and services be IPv6 compliant.                                  vendors have not yet transitioned to IPv6. As stated in the very last\n                                                                                        paragraph of the IPv6 Closeout Report: "It may not make sense to re\xc2\xad\n                                                                                        engineer and upgrade platforms having a five year life expectancy to\n                                                                                        support a technology that is not expected to attain wide-scale adoption\n                                                                                        for five to ten years." NARA needs to be careful not to prohibit the\n                                                                                        use of products and services needed to support today\'s business\n                                                                                        operations because they don\'t yet support an implementation\n                                                                                        requirement that may be more than 5 years in the future. OMB M-05\xc2\xad\n                                                                                        22 actually states that:\n\n                                                                                        "To avoid unnecessary costs in the future, you should, to the\n                                                                                        maximum extent practicable, ensure that all new IT procurements are\n                                                                                        IPv6 compliant. Any exceptions to the use of IPv6 require the\n                                                                                        agency\'s CIO to give advance, written approval. .. "\n\x0c'